The Commission today adopted a draft mandate to negotiate a new personal data protection agreement with the United States. Such an agreement would cover personal data that have been transferred and are then processed in the context of police and judicial co-operation in criminal matters.

The agreement would provide a high level of protection of personal data. People would have the right to be informed of data processing, to access the information and to request correction or deletion if inaccuracies are found. They would also have the right to seek judicial redress in courts. Independent public authorities on both sides of the Atlantic would help inform people of their rights, particularly in accessing, correcting and seeking redress.

What rules for the protection of personal data are proposed in the draft mandate?

Require that personal data is processed fairly for a specific, legitimate purpose and retained for a limited time only;

Demand limitations in case of onward transfers of this data to a third country;

Stipulate that every person has the right to access the personal data that has been collected about them and the right to have it corrected or erased;

Require that compliance with these rules is overseen by independent public authorities on both sides of the Atlantic;

Ensure that there are mechanisms for seeking redress, as well as compensation for any damages suffered as a result of breaches.

Why does data need to be transferred at all?

Processing and transferring personal data is an essential part of fighting crime and terrorism, both within the European Union and when co-operating with international partners.

Since the terrorist attacks of 11 September 2001 in the US and subsequent attacks in Europe and other parts of the world, the EU has enhanced police and judicial co-operation in criminal matters with the US. This has led to the conclusion of several agreements on the transfer of information, notably Passenger Name Records (PNR) and the Terrorist Finance Tracking Programme (TFTP).

The data protection agreement is about the protection of personal data in the event that it has to be transferred. This agreement does not deal with the conditions governing whether data needs to be transferred.

How would the agreement impact on existing agreements?

The intention is to create a coherent legal framework. Therefore, the agreement would apply to any existing (such as PNR and TFTP) and future EU-US agreements that regulate transfers and processing of personal data when co-operating on criminal matters.

Negotiations on TFTP have already started following the Council’s approval of the Commission’s mandate on 11 May. Both sides have indicated that the talks should be concluded quickly given the current security gap (following the European Parliament’s vote on 11 February to reject the interim TFTP agreement, no financial messaging data from Europe is currently being transferred to the US).

Because the general data protection framework agreement will apply to TFTP, any inconsistencies between the two would mean that the TFTP would need to conform to the new agreement, following a transitional period.

Why is a new data protection agreement needed?

The EU and the US share similarities in their approaches to personal data protection, but there are also differences that have made negotiating agreements on data transfers particularly difficult. The right to the protection of personal data is a fundamental right in the EU (Article 8 of the EU Charter of Fundamental Rights) that is enshrined in the EU Treaties. There is no comparable explicit constitutional right in the US. Protection of personal data is dealt with by a variety of sector-specific statutes at US federal and state levels. Removing protection gaps and discrepancies between the two legal systems and thereby improving legal certainty are the main reasons for proposing a new agreement with the US.

There are data protection rules in several specific agreements between the EU and the US, as well as bilateral arrangements between EU Member States and the US. However, there is currently no general umbrella framework for the protection of personal data between the two partners in the area of police and judicial co-operation in criminal matters.

What are the goals of the agreement?

The aim of the agreement is to create a framework of legally binding personal data protection standards that would apply to data transferred between the EU and the US which are processed in the context of police and judicial co-operation in criminal matters.

The agreement would also seek to obtain legal safeguards to ensure that these fundamental principles fully apply, and are not violated, such as effective independent supervision and mechanisms for compliance and seeking redress.

Who would be covered by the agreement? Does this agreement allow for data transfers in general?

The agreement would be limited to the protection of personal data when it is transferred to and processed by European institutions, bodies, offices and agencies, EU Member States and US public authorities responsible for the prevention, investigation, detection or prosecution of crimes, including terrorism.

The agreement would not provide the legal basis for any specific transfer of personal data between the EU and US. A specific legal basis for such data transfers would always be required. For example, a data transfer agreement or a national law in an EU Member State would be needed. The data protection agreement would then apply to these data transfers.

The agreement would ease the negotiation of any subsequent EU-US agreements concerning the transfer of a specific set of personal data because important aspects could be dealt with by reference to and on the foundation of this agreement.

How can individuals know if their personal data is being stored or processed? What can they do about it?

The agreement aims at enhancing the rights of individuals:

They should be informed about the purpose and categories of personal data that will be processed and by whom.

They should have the right to access their personal data. Any restriction to that right to access must be proportionate and necessary so that, for example, ongoing criminal investigations are not jeopardised.

An independent public authority should be allowed access on behalf of the individual concerned if direct access is not possible.

If personal data is incorrect, individuals should have the right to correct it, or, if appropriate, erase it.

In case of damages suffered due to unlawful processing, there should be a right to compensation.

What is the legal basis of the agreement?

The Lisbon Treaty now offers a new horizontal legal basis that allows the EU to establish rules relating to the protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies, and by the Member States when carrying out activities that fall within the scope of EU law.